Open Bug 1701658 Opened 3 years ago Updated 2 years ago

Firefox crashes when loading a PKCS#11 module which uses std::regex_search

Categories

(Core :: Security: PSM, defect, P5)

Firefox 87
x86_64
Linux
defect

Tracking

()

REOPENED

People

(Reporter: haya.dav.id.so.nt.m.p, Unassigned)

Details

(Whiteboard: [psm-smartcard])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0

Steps to reproduce:

  • Install Debian 10 without the DEB Firefox, or Fedora 33 without the RPM Firefox
  • Download Firefox 87 from mozilla.org (I also tested 81.0.2 and 81.0.1)
  • Download CIE Middleware 1.3.1.0 from https://www.cartaidentita.interno.gov.it/identificazione-digitale/software-cie/ This module is the official module for access to the electronic document; you can use the deb for Debian or the rpm for Fedora, or there is also a tar.gz
  • about:preferences -> Privacy & Security -> Security Devices -> Load
  • Choose libcie-pkcs11.so from /usr/local/lib

Actual results:

Firefox crashes and asks to restart or send a report.

With the Firefox package from the distribution (firefox-esr 78 for Debian 10 or firefox 81.0.1 for Fedora 33), Firefox doesn't crash and loads the .so.

Expected results:

Firefox should load the module and access the pcscd daemon to read the NFC card.

You can find the source of this library here: https://github.com/italia/cie-middleware-linux I tried to debug the code and I found the point where Firefox crashes: https://github.com/italia/cie-middleware-linux/blob/master/cie-pkcs11/Util/log.cpp#L92

std::regex_search(path, match, std::regex("^/(home|root)/"));

I tried copying the code into a simple program and compiling it, and it works. The same library is used in a Java program with Sun JNA and works.
The same library works if loaded in the Firefox distributed by the Linux distribution; it crashes only when I load it from the Firefox downloaded from mozilla.org.

In my fork https://github.com/etmatrix/cie-middleware-linux/commit/2d5d2bd93df328e38e349b2b08893f24e92e36bf I removed that code and it works.
For now this is good as a workaround; I would like to understand why Firefox crashes.

Severity: -- → S3
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
Priority: -- → P3
Component: Untriaged → Security
Crash Signature: AdapterDeviceID: 0x5917 AdapterDriverVendor: mesa/i965 AdapterDriverVersion: 18.3.6.0 AdapterVendorID: 0x8086 Add-ons: doh-rollout%40mozilla.org:2.0.0,formautofill%40mozilla.org:1.0,screenshots%40mozilla.org:39.0.0,webcompat%40mozilla.org:20.1.0,defau…

This report also contains technical information about the state of the application when it crashed.

Component: Security → Security: PSM
Product: Firefox → Core

The product::component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit auto_nag documentation.

Priority: P3 → --

Closing because no crashes reported for 12 weeks.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
Severity: S3 → S4
Status: RESOLVED → REOPENED
Crash Signature: AdapterDeviceID: 0x5917 AdapterDriverVendor: mesa/i965 AdapterDriverVersion: 18.3.6.0 AdapterVendorID: 0x8086 Add-ons: doh-rollout%40mozilla.org:2.0.0,formautofill%40mozilla.org:1.0,screenshots%40mozilla.org:39.0.0,webcompat%40mozilla.org:20.1.0,defau…
Ever confirmed: true
Priority: -- → P5
Resolution: WORKSFORME → ---
Whiteboard: [psm-smartcard]